MRASCo Security Committee New Member Request

We are looking for information security and industry IT experts to support the MRASCo Security Committee (MSC) in reviewing the information security arrangements of the MRASCo systems that contain personal data.

MSC is tasked, under the instruction of the MRASCo Board, with reviewing, managing and maintaining the security of the personal data contained within the systems owned by MRASCo. The objectives of the group are as follows:

Updating the MRASCo Board on the implications of changes to security and data protection regulations and policies that may affect the MRA or the data held within MRASCo systems.

Agreeing process, technical and governance changes that have been identified in order to strengthen the security of the MRASCo systems containing personal data.

Monitoring that information security and data protection obligations are met.

Reviewing the security, retention and destruction policies.

Investigating and managing security breaches of MRASCo systems.

Reviewing the outcome reports and summary of findings from the MRA system user audits, where applicable.

Ensuring that the existing processes in relation to the information security measures and data protection aspects included within the MRA are sufficient to protect the personal data held in MRASCo’s systems. This would support the recommendation from the Information Security Risk Assessment Report to introduce an assurance function to ensure compliance with the information security measures and data protection aspects included within the MRA and its subsidiary documents.

Please email MRAHelpdesk@gemserv.com if you or another representative wishes to participate in the Security Committee.

If you have any further questions, please do not hesitate to contact us.

Security Expert Group (SEG) September Update 2015

The Security Expert Group (SEG) has been tasked with reviewing and developing potential system, process and governance enhancements to ensure security of the data held within the MRASCo systems is maintained.

SEG last met on 14th September 2015 and reviewed the proposed GDCC user audit questions for Category 1 users. One minor amendment was made to the self-assessment questions, which have been provided to the MRA Executive Committee for further consideration.

In addition, the Group reviewed the draft Terms of Reference for a permanent Security Group as an enduring MRASCo Board sub-committee, which will be updated to include the feedback received and provided to the MRASCo Board for approval.

Finally, the secure distribution of ECOES and GDCC data was considered. A proposal to securely and flexibly distribute data with the appropriate security and access controls was approved and will be recommended to the MRA Executive Committee for further consideration. The proposal stipulates that Gemserv would receive master reports from the systems, which would be tailored to produce various reports for the industry. The output files would then be securely transferred to the recipients via a platform that would push notifications, in a similar way to Huddle, when a file is uploaded.

If you have any questions, or if you would like to attend the next SEG meeting, please contact MRAHelpdesk@Gemserv.com

Security Expert Group (SEG) August 2015 update

The Security Expert Group (SEG) has been tasked with reviewing and developing potential system, process and governance enhancements to ensure security of the data held within the MRASCo systems is maintained.

SEG last met on 4th August 2015 and reviewed the recently introduced quoracy arrangements for the Group, which will require four Supplier and two Distribution Business representatives in order for a decision to be made. In addition, the remit of SEG as an enduring MRASCo Board sub-committee was agreed and will be developed into a set of Terms of Reference.

SEG also reviewed the proposed scope of the GDCC user audit, which consisted of three categories of users that would be required to undertake varying depths of audits:

A full GDCC User Audit;

A partial GDCC User Audit that assumes certain elements have already been assessed as compliant; and

A compliance review (rather than audit) for organisations with very limited access that is determined to be very low risk.

Due to the recent announcements regarding the Green Deal, SEG agreed for the Category 1 audit questions to be developed.

Finally, the secure distribution of ECOES and GDCC data was considered. A proposal to securely and flexibly distribute data with the appropriate security and access controls was reviewed and will be further developed ahead of the next meeting.

If you have any questions, or if you would like to attend the next SEG meeting, please contact MRAHelpdesk@Gemserv.com

Security Expert Group (SEG) July 2015 Update

The Security Expert Group (SEG) has been tasked with reviewing and developing potential system, process and governance enhancements to ensure security of the data held within the MRASCo systems is maintained.

SEG last met on 3rd July 2015 and reviewed the proposed ECOES user audit questions for both the compliance based and risk based approaches. The questions were approved and recommended to the MRA Executive Committee with the inclusion of an additional question regarding the ECOES Consolidated Monthly report.

The ECOES Consolidated Monthly Report Encryption Request For Information (RFI) responses were reviewed, which resulted in SEG agreeing to review the use of secure File Transfer Protocols (sFTPs) as a distribution method. The Expert Group agreed that two Change Proposals regarding the distribution method of the ECOES Consolidated Monthly Report should be raised as alternatives for consideration by the MRA Development Board (MDB).

Finally, SEG reviewed the drafting proposals in relation to Information Security. Both the MAP15 drafting regarding ECOES and the MAP18 drafting regarding the GDCC have been signed off in principle.

If you have any questions, or if you would like to attend the next SEG meeting on 4th August 2015, please contact the team at MRAHelpdesk@Gemserv.com

Security Expert Group (SEG) May 2015 Update

The Security Expert Group has been tasked with reviewing and developing potential system and process enhancements to ensure security of the data held within the MRASCo systems is maintained.

SEG last met on 5th May 2015 and carried out an in-depth review of the Information Security Risk Assessment report. The report detailed 23 risks, the associated mitigating actions and the required next steps. The outputs of the report shaped a number of drafting proposals in relation to Information Security measures contained within the MRA and its subsidiary documents.

The ECOES Consolidated Monthly Report Request For Information (RFI) responses were reviewed, which resulted in SEG agreeing a number of principles, such as that one user per company group should have access to the data and that a two-factor user authentication approach should be adopted. As a result, a further RFI was issued to seek the industry's views on what the two-factor user authentication approach should be. Responses to the RFI were due by 2nd June 2015.

SEG agreed that the audit approach should be expanded to detail that parties are required to provide evidence to support their responses and that the audit scope should be clearly defined.

Finally, SEG agreed that the project team should carry out the required analysis and provide the Group with their resultant findings and proposals. In line with this suggestion, SEG will next convene on 3rd July 2015 but, ahead of this meeting date, is expected to review and provide feedback on a number of workstreams.

For further details please contact the MRA helpdesk.